Google Wardriving: How Engineering Trumped Privacy

During a two-year period, Google captured oodles of Wi-Fi data worldwide as part of its Street View program. But why?

Blame the engineering ethos that's prevalent at high-technology companies like Google. You know the "more is more" mindset: more bells and whistles equals greater goodness.

Of course some technology giants, including Apple and Google, have produced products or services that succeed by distilling that approach. Rather than cramming every last feature into their products, these companies include only the best ones. For example, compare the 2003-era iPod to its rivals, or Google Search to its predecessors.

But an unfiltered engineering mindset would help explain the apparent thinking behind the Street View wardriving program: "Well, if this Wi-Fi data is flying around and no one is encrypting it, what reasonable expectation do they have that it won't be sniffed and stored?"

The "Engineer Doe" responsible for adding full payload data capture to the Street View program invoked his Fifth Amendment right against self-incrimination, and refused to be deposed by government lawyers. The FCC, meanwhile, only learned his identity--redacted from all documents Google had initially provided to the agency--because Google had disclosed it to state investigators. While the state in question wasn't named, a former state investigator who worked on the Google case has identified the engineer as Marius Milner, a former Lucent Technologies employee who joined Google in 2003.

Despite that revelation, we're still left to guess at his exact thoughts and motivations. Notably, however, he wasn't the only Google employee interested in the data. True, at first, Google blamed the entire episode on a "rogue engineer" who was hungry for the product possibilities such data might afford. But Google design documents later provided to the Federal Communications Commission demonstrated that managers had commissioned the wardriving program, to help them build Wi-Fi maps.

"As Street View testing progressed, Google engineers decided that the Company should also use the Street View for 'wardriving,' which is the practice of driving streets and using equipment to locate LANs using Wi-Fi, such as wireless hotspots at coffee shops and home wireless networks," according to the FCC's report. "By collecting information about Wi-Fi networks (such as the MAC address, SSID, and strength of signal received from the wireless access point) and associating it with global positioning system (GPS) information, companies can develop maps of wireless access points for use in location-based services."

Milner, the previously unnamed engineer that Google tapped to add the wardriving capabilities, went further by adding code to also record all unencrypted packets--or what's known as payload data--within range of Google's Street View cars, which he "thought might prove useful for other Google service," according to the FCC's report. Managers also signed off on these design documents, and at least one senior manager later asked the engineer to review the wardriving data set for interesting Web navigation statistics.
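The FCC passage above describes the two design decisions in play: collecting access-point metadata (MAC address, SSID, signal strength) and tying it to a GPS fix to build a map, and the extra step of also recording frame payload. The Python below is an added example, not Street View code and not anything from the FCC report: it builds the access-point map from a constructed capture while dropping payload at the gate, so the extra step cannot happen by default, and it includes an audit that would have caught it. The record field names, the sample values and the signal-weighted positioning are this example's own assumptions.

```python
"""Data-minimising Wi-Fi map builder (added example, not Google's Street View code).

Each input record stands for one captured 802.11 frame plus the GPS fix of the
car at that moment. Only beacon metadata (BSSID, SSID, signal strength,
protection flag) and position are retained; frame payload is dropped before
anything is stored, whether or not the network encrypts it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample capture. The field names are this example's own assumption,
# not a real capture format. The two "data" frames stand in for the kind of
# content the Canadian and French investigators found in the payload data.
SAMPLE_CAPTURE: List[dict] = [
    {"type": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CoffeeShop",
     "protected": False, "rssi": -60, "lat": 37.4220, "lon": -122.0841},
    {"type": "data", "bssid": "00:11:22:33:44:55", "protected": False,
     "payload": b"POST /login HTTP/1.1 ... user=alice&password=<constructed>",
     "rssi": -62, "lat": 37.4220, "lon": -122.0842},
    {"type": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CoffeeShop",
     "protected": False, "rssi": -70, "lat": 37.4222, "lon": -122.0845},
    {"type": "beacon", "bssid": "66:77:88:99:aa:bb", "ssid": "HomeNet",
     "protected": True, "rssi": -85, "lat": 37.4230, "lon": -122.0850},
    {"type": "data", "bssid": "66:77:88:99:aa:bb", "protected": True,
     "payload": b"\x8a\x13\x02\xf0 <constructed ciphertext>",
     "rssi": -84, "lat": 37.4231, "lon": -122.0851},
]

# The only fields a stored record may carry. "payload" is deliberately absent.
ALLOWED_FIELDS = frozenset({"bssid", "ssid", "protected", "rssi", "lat", "lon"})


def minimise(record: dict) -> Optional[dict]:
    """Keep a metadata-only copy of a beacon; return None for any frame that
    carries user traffic. Payload bytes are never copied, encrypted or not."""
    if record.get("type") != "beacon":
        return None
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def collect(capture: List[dict]) -> Tuple[List[dict], int]:
    """Run every captured frame through minimise(); return the retained
    records and the number of frames dropped for carrying payload."""
    retained, dropped = [], 0
    for rec in capture:
        slim = minimise(rec)
        if slim is None:
            dropped += 1
        else:
            retained.append(slim)
    return retained, dropped


def audit(records: List[dict]) -> List[str]:
    """Guardrail: list every field in the stored records that the minimisation
    policy does not allow. An empty list means the data set is clean."""
    violations = []
    for i, rec in enumerate(records):
        for k in rec:
            if k not in ALLOWED_FIELDS:
                violations.append(f"record {i}: disallowed field {k!r}")
    return violations


@dataclass
class AccessPoint:
    bssid: str
    ssid: str
    protected: bool
    observations: int = 0
    weight: float = 0.0   # sum of linear signal power over all sightings
    lat_acc: float = 0.0  # power-weighted latitude accumulator
    lon_acc: float = 0.0  # power-weighted longitude accumulator

    def position(self) -> Tuple[float, float]:
        """Signal-strength-weighted estimate of where the AP sits."""
        return self.lat_acc / self.weight, self.lon_acc / self.weight


def rssi_weight(rssi_dbm: float) -> float:
    """dBm to linear milliwatts, so stronger (closer) sightings count more."""
    return 10.0 ** (rssi_dbm / 10.0)


def build_ap_map(records: List[dict]) -> Dict[str, AccessPoint]:
    """Associate each BSSID with the GPS fixes it was seen from."""
    aps: Dict[str, AccessPoint] = {}
    for rec in records:
        ap = aps.setdefault(
            rec["bssid"], AccessPoint(rec["bssid"], rec.get("ssid", ""), rec["protected"]))
        w = rssi_weight(rec["rssi"])
        ap.observations += 1
        ap.weight += w
        ap.lat_acc += w * rec["lat"]
        ap.lon_acc += w * rec["lon"]
    return aps


if __name__ == "__main__":
    retained, dropped = collect(SAMPLE_CAPTURE)
    assert not audit(retained), "payload leaked into the stored data set"
    print(f"dropped {dropped} payload-carrying frames")
    for ap in build_ap_map(retained).values():
        lat, lon = ap.position()
        print(f"{ap.bssid} {ap.ssid!r} protected={ap.protected} "
              f"seen={ap.observations} at ({lat:.5f}, {lon:.5f})")
```

The point of the design is that the storage schema (ALLOWED_FIELDS) rather than a reviewer's judgement decides what is kept: a later change that starts copying payload fails the audit instead of quietly accumulating data for two years.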

New Privacy Questions, Old Laws

Why didn't the initial payload-data-capture decision face legal review? Likely because Google is a company built by engineers, and run by engineers. The code rules. And in fact, Google employees told the FCC that anyone working full-time on the Street View project was allowed to modify the code--no approval needed--if they thought they could improve it.

But capturing payload data raises numerous privacy questions. Indeed, investigators in other countries found that the data captured by Google's Street View software--the same software was likely employed in the United States--could be highly sensitive. A 2010 report from Canada's Office of the Privacy Commissioner, for example, noted that it was "troubled to have found instances of particularly sensitive information, including computer login credentials (i.e., usernames and passwords), the details of legal infractions, and certain medical listings."

In 2011, meanwhile, France's Commission Nationale de l'Informatique et des Libertes examined a sample of payload data collected by Google in France, and found 656 MB of information, "including passwords for Internet sites and data related to Internet navigation, including passwords for Internet sites and data relating to online dating and pornographic sites," according to the FCC report. The French report suggests that combining the location data, together with the 6 MB of email data recovered--including details of at least one extramarital affair--would have allowed data miners to learn people's names, addresses, sexual preferences, and more.

If "more is more" rules for engineers, the privacy default is traditionally "more is less." People have the expectation that not everything they do or say should be a matter of public record. Accordingly, if you surreptitiously collect too much data, then you may be infringing people's right to privacy. Cue punishment.

But not here. The Justice Department and Federal Trade Commission both investigated Street View, and chose not to prosecute. The FCC in its report likewise said that collecting Wi-Fi data, at least in this case, didn't seem to fall under its authority to regulate under the Communications Act of 1934. Furthermore, because Milner refused to testify, the FCC couldn't fully understand why he did what he did, or whether his intentions were at all malicious.

But there's one thing everyone has agreed he didn't do. On Milner's design document to-do list was this entry: "[D]iscuss privacy considerations with Product Counsel." According to the FCC, "that never occurred."

If you suspect that having someone intercept your unencrypted Wi-Fi data might be against the law, think again. The FCC in its report noted that Google may not have done anything illegal, either by intercepting information, or analyzing it, especially because it left encrypted data alone. "Although Google also collected and stored encrypted communications sent over unencrypted Wi-Fi networks, the Bureau [meaning, the FCC] has found no evidence that Google accessed or did anything with such encrypted communications," according to its report. Thankfully, the FCC said that the unencrypted payload data appeared to have been accessed only twice: once by Milner to see if there was anything useful for creating Google products, and then in 2010 when Google supervisors verified that payload data had in fact been collected.

Google said that while the payload data collection shouldn't have happened, it hadn't violated any laws. Notably, it argued that the Wiretap Act allows for the interception of radio signals that are "readily accessible to the general public," meaning they're not scrambled or encrypted. The FCC appeared to agree.

To be clear: the Google Street View episode illustrates that people shouldn't have any expectations that their unencrypted data won't be captured. Hopefully, that revelation will provoke sharp questions in Congress about whether, in this day and age, the Wiretap Act or other communications regulations still work.

Should someone be allowed to park outside your house and intercept your Wi-Fi signals? People never used shortwave radios to send their usernames and passwords to their bank, or to search Google. But as the French and Canadian investigators found, Wi-Fi data can reveal numerous secrets. Shouldn't the law help safeguard those?


Yes, if you leave something valuable at the curb someone probably takes it. BUT, that would still be stealing and that is illegal! The Google case is different, folks left their valuables unencrypted on the digital curb and making a copy of it is not illegal.

I tend to agree with you that the laws should not be changed, because we enter a gray area otherwise. For example, SSIDs are sent out unencrypted. So would picking those up be illegal then? If yes, all existing hardware would need to be upgraded or tossed. So if SSIDs would be considered OK, what about the hundreds of other possible forms of data packets sent? Do we need to detail each one in the law and make a determination of what is allowed to be retrieved and what is not? That would be entirely unmaintainable.

I'd rather see a change that adds clarity so that snooping unencrypted wireless data is explicitly allowed while making once again clear that unauthorized decryption of any data is not allowed. Sure, that puts the burden on consumers, but when they run wireless networks they should know what they are doing.

Not disagreeing, but in many other cases the FCC applied or has to apply different sets of rules to various services. For example, many rules apply to landline phone service that do not apply to VoIP services, although the use and intent are identical.

The problem here is that the current laws do not allow the FCC to come to any other conclusion, and if they do, the rightwingers and teabags flip out and scream "Communists!"

What Google did was legal, but it wasn't right, and Google's take is that they stopped doing what they ethically, morally (but not legally) should not have done in the first place.

Neglecting issues of perceived bad taste, just how is it different? If a photographer or painter makes a picture of my garden from the street and gets filthy rich selling it, is that immoral or illegal? Does it harm me?

If you have a good logical argument why it is, your point is valid. If not, your argument devolves a bit to the realm of feelings.

And everyone should reconfigure their AP to not broadcast the SSID, but I drive around town and know most private citizens and a big number of businesses are not. The article also referenced coffee shops and businesses with old equipment; few are interested in wasting their 5-10 minutes in the coffee shop ensuring their WiFi is secure to their liking (so they can't MAN UP for someone else's oversight). Is the answer to assume all WiFi is insecure and not use it? No, but like any social media, do and say nothing you do not want to be public knowledge. I agree with other posts here that say each individual is responsible for their use. The concept of privacy was fundamental in the Bill of Rights, which protects against unlawful search and seizure and self-incrimination; shall we eliminate it as well? I no more want any government taking care of my needs than the greater risk represented by commercial firms or an ex stalking me with GPS on my phone and enabled by Google's WiFi maps. The worst in this entire article is a government agency with regulatory responsibility (the FCC) using a 1934 reference to wash their hands of that responsibility.

PS There have been a number of precedents set by paparazzi photographing over those high fences, so if you can catch that plane and the occupant spying on you, it is probably a prosecutable offense (depending on local laws of course). Similarly, I would even say that Google Maps or any similar service has legal restrictions on the degree of resolution they can publish (they have to obscure license plates, as one example).

Sorry, but trolling the streets and collecting data to build information profiles should be considered the same as trolling through the other unencrypted data that flows from people's homes, such as in garbage cans, license plate numbers and yes, photos of people in the windows of homes. It's one thing to see something, a completely different thing to use that for some commercial or other purpose.

If I sunbathe nude in my fenced backyard with no other houses overlooking me, but a person in an airplane flies over and sees me in all my hirsute glory, is (s)he a Peeping Tom? Of course not. And collecting data that is flying through the air unencrypted for anyone to see is not an invasion of privacy, either, though it may be bad manners (and bad taste) akin to staring down at me from the plane.

Frankly, running an unencrypted access point is EXACTLY like standing in front of an open window. If you do something, people might see. If you don't know how public you are, that is YOUR problem. Folks need to man up and accept responsibility for their own actions or inactions.

Or move to France, where the government will take care of all your needs...

"The FCC in its report noted that Google may not have done anything illegal, either by intercepting information, or analyzing it, especially because it left encrypted data alone." Actually, I believe this would contradict a long-standing position of the FCC. Telephone transmissions for many years have been regulated and were not encrypted (except for certain state and defense needs). It was and is relatively easy to intercept, record, and distribute these communications; however, the law prevents such illegal or unauthorized "wiretapping." Wardriving, while targeting a different form or structure of communication, is nonetheless more similar than dissimilar.

I think any state serious about their privacy laws to protect their citizens rights will share this interpretation (see EU reconsideration) as opposed to the "everyone should be automatically as intelligent as I and responsible" mindset. I could stop any number of people on the street and test them on their technological competence, drill them on IPv4 vs. v6 or 128 vs 256 bit encryption, but the vast majority are users not technicians and expect the system designers to be responsible. We may get there, but I don't think it is accurate to say we are already.

Still, the access points not being configured for encryption by default is not an issue that should be addressed by a law; it is merely an awareness issue. Do a story?

As for banking: if a bank exists that transmits passwords in the clear and does not use SSL encryption, they are negligent to the point of being criminal. If you know of any, you should compile a list and do a story on these negligent banks. All the sites that I use that require a username and password use SSL when you log in (including this one). So really the only thing encrypting your Wi-Fi does is make sure your neighbors (or anyone nearby) don't know what kind of websites you visit and the contents of them.

As for Comcast not requiring encryption that actually shocked me. I know when I previously had Comcast (before they changed their name or got bought by Comcast) they did require it (the installer was very adamant). And so did the DSL provider in my area. I guess saying that it was in a EULA was going a bit far.

JonoPorter: You raise excellent points. Locks do deter criminals. And in an ideal world, everyone would have the latest and greatest Wi-Fi tech. Everyone would understand how to secure that tech. Service providers would only give subscribers routers with strong encryption enabled, unique access passwords, as well as unique admin passwords. Best Buy and its ilk would only sell the same. And more to the point, they would have never done otherwise.

But that's simply not true. How many routers ship with no admin password, or encryption not enabled by default? What about five years ago? Ten years ago? How many legacy routers provided by service providers are still at large, and in use, but can only handle WEP or which shipped without encryption enabled by default? Are you saying that when granny does her banking, and someone's parked outside her house and intercepting her signals, it's her fault if her service provider shipped her -- or Belkin sold her -- a router that didn't have strong encryption enabled by default?

In terms of service providers requiring encryption, moreover, a quick Google search turns up examples to the contrary. For example, here's what Comcast says:

For basic security, select 64-bit WEP (Low) from the WEP Encryption Strength drop-down box. As a default, Comcast enables the current highest level of wireless security at the time of professional installation--the 128-bit WEP (High) Encryption. If your signal strength and link quality are poor, you may change the strength to 64-bit or disable it completely by choosing None. WEP Encryption is not necessary for gateway operation, but is recommended for enhanced network security.

Needless to say, someone with the right tools can often crack 64-bit WEP in a few minutes. Or if there's no "enhanced network security," well, is the consumer really the one at fault?
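The Comcast instructions quoted above let the installer pick between 64-bit WEP, 128-bit WEP or none, which is the kind of shipped default the reply is complaining about. As an added example (not Comcast's, hostapd's or the article's code), the following Python reads a hostapd-style access-point configuration and classifies the link encryption it would bring up, so a provider, installer or auditor can tell an open or WEP configuration from a WPA2/CCMP one before the router leaves the building. The three sample configurations are constructed; the option names (wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wep_default_key, wep_key0) are real hostapd keys, but every value is made up.

```python
"""Wi-Fi access-point configuration checker (added example; not code from the
article, Comcast, or the hostapd project). Reads a hostapd-style key=value
configuration and reports which class of link encryption it enables."""
from typing import Dict, Tuple

# Constructed sample configurations. Option names are real hostapd keys; the
# SSIDs, channel numbers, WEP key and passphrase are made up for this example.
SHIPPED_DEFAULT = """
interface=wlan0
ssid=HomeNet
channel=6
# legacy WEP, the "enhanced network security" of the quoted instructions
wep_default_key=0
wep_key0=0A1B2C3D4E
"""

WIDE_OPEN = """
interface=wlan0
ssid=CoffeeShop
channel=1
"""

HARDENED = """
interface=wlan0
ssid=HomeNet
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=<constructed-passphrase-change-me>
"""

# Plain-language verdict for each class, for the report the installer reads.
ADVICE = {
    "open": "No link encryption: everything in range can be read. Enable WPA2/WPA3.",
    "wep": "WEP is broken and recoverable in minutes; treat it as open. Enable WPA2/WPA3.",
    "wpa-weak": "WPA1, TKIP, or no cipher pinned: deprecated. Use wpa=2 with CCMP only.",
    "wpa2-ccmp": "WPA2 with AES-CCMP: acceptable baseline.",
    "wpa3-sae": "WPA3-Personal (SAE): current best practice.",
}


def parse_hostapd(text: str) -> Dict[str, str]:
    """Minimal key=value parser; ignores blank lines and '#' comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def assess(cfg: Dict[str, str]) -> str:
    """Classify the encryption a hostapd config would bring up.
    Returns one of: 'open', 'wep', 'wpa-weak', 'wpa2-ccmp', 'wpa3-sae'."""
    wpa = int(cfg.get("wpa", "0"))  # bit 1 = WPA (v1), bit 2 = WPA2/RSN
    if wpa:
        key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()
        ciphers = (cfg.get("rsn_pairwise", "") + " " + cfg.get("wpa_pairwise", "")).split()
        if wpa & 1 or "TKIP" in ciphers:
            return "wpa-weak"      # WPA1 or TKIP still permitted
        if "SAE" in key_mgmt and "WPA-PSK" not in key_mgmt:
            return "wpa3-sae"      # SAE only, no PSK fallback
        if "CCMP" in ciphers:
            return "wpa2-ccmp"
        return "wpa-weak"          # cipher left to version-dependent defaults
    if any(k == "wep_default_key" or k.startswith("wep_key") for k in cfg):
        return "wep"
    return "open"


def report(text: str) -> Tuple[str, str]:
    """Parse a configuration and return (class, advice)."""
    level = assess(parse_hostapd(text))
    return level, ADVICE[level]


if __name__ == "__main__":
    for name, text in [("shipped default", SHIPPED_DEFAULT),
                       ("wide open", WIDE_OPEN), ("hardened", HARDENED)]:
        level, advice = report(text)
        print(f"{name:16s} {level:10s} {advice}")
```

Run against a fleet of configurations, the check turns the reply's question ("how many routers ship with encryption not enabled by default?") into a number rather than a guess, and it fails closed: a configuration that names no cipher at all is reported as weak instead of assumed safe.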
